Patch "usb: gadget: u_ether: fix a potential null pointer dereference" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 16 Sep 2021 08:04:58 -0400

This is a note to let you know that I've just added the patch titled

    usb: gadget: u_ether: fix a potential null pointer dereference

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f6474c1b3fb379f2d472909666471925396a4f8d
Author: Maciej Żenczykowski <maze@xxxxxxxxxx>
Date:   Thu Jul 1 04:48:34 2021 -0700

    usb: gadget: u_ether: fix a potential null pointer dereference
    
    [ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ]
    
    f_ncm tx timeout can call us with null skb to flush
    a pending frame.  In this case skb is NULL to begin
    with but ceases to be null after dev->wrap() completes.
    
    In such a case in->maxpacket will be read, even though
    we've failed to check that 'in' is not NULL.
    
    Though I've never observed this fail in practice,
    however the 'flush operation' simply does not make sense with
    a null usb IN endpoint - there's nowhere to flush to...
    (note that we're the gadget/device, and IN is from the point
     of view of the host, so here IN actually means outbound...)
    
    Cc: Brooke Basile <brookebasile@xxxxxxxxx>
    Cc: "Bryan O'Donoghue" <bryan.odonoghue@xxxxxxxxxx>
    Cc: Felipe Balbi <balbi@xxxxxxxxxx>
    Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Cc: Lorenzo Colitti <lorenzo@xxxxxxxxxx>
    Signed-off-by: Maciej Żenczykowski <maze@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@xxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index 156651df6b4d..d7a12161e553 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -491,8 +491,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
 	}
 	spin_unlock_irqrestore(&dev->lock, flags);
 
-	if (skb && !in) {
-		dev_kfree_skb_any(skb);
+	if (!in) {
+		if (skb)
+			dev_kfree_skb_any(skb);
 		return NETDEV_TX_OK;
 	}
 






